Also if you can capture the actual data of those packets, that could shed some light upon their origin. They only appear to be around 30 bytes normally, so for me, that could provide a clue.

>>> Amos Jeffries <squid3@xxxxxxxxxxxxx> 6/5/2011 3:55 AM >>>
On 05/06/11 16:55, Bal Krishna Adhikari wrote:
> On 06/04/2011 12:59 PM, Amos Jeffries wrote:
>>>>>> Bal Krishna Adhikari 6/3/2011 6:13 AM >>>>>>
>>> Hello,
>>>
>>> I found a lot of UDP connections that are coming to my proxy servers.
>>> I don't find the cause of such one-way traffic to my servers.
>>> The sample UDP traffic is as follows:
>>>
>>> 14:00:07.506612 IP 41.209.69.146.10027 > x.x.x.x.65453: UDP, length 30
>>> 14:00:07.518118 IP 121.218.37.254.41597 > x.x.x.x.64338: UDP, length 30
>>> 14:00:07.572559 IP 85.224.143.193.29978 > x.x.x.x.62782: UDP, length 30
>>> 14:00:07.596554 IP 183.87.200.42.36895 > x.x.x.x.15786: UDP, length 30
>>> 14:00:07.642820 IP 180.215.37.96.49977 > x.x.x.x.49458: UDP, length 30
>>> 14:00:07.653055 IP 117.195.138.64.24314 > x.x.x.x.44985: UDP, length 33
>>> 14:00:07.739963 IP 82.31.238.101.50534 > x.x.x.x.52750: UDP, length 30
>>> 14:00:07.783452 IP 86.83.107.196.41870 > x.x.x.x.62782: UDP, length 30
>>> 14:00:07.809677 IP 94.246.23.15.59003 > x.x.x.x.27462: UDP, length 30
>>> 14:00:07.837415 IP 75.156.164.147.49398 > x.x.x.x.34847: UDP, length 30
>>> 14:00:07.841668 IP 82.8.212.242.25931 > x.x.x.x.24869: UDP, length 30
>>> 14:00:07.841697 IP 89.136.112.99.42182 > x.x.x.x.52750: UDP, length 30
>>> 14:00:07.854215 IP 99.191.156.208.18162 > x.x.x.x.64338: UDP, length 30
>>> 14:00:07.885386 IP 88.147.72.252.60224 > x.x.x.x.19151: UDP, length 30
>>> 14:00:07.960841 IP 68.169.185.192.63480 > x.x.x.x.58638: UDP, length 30
>>> 14:00:08.071763 IP 79.113.242.42.31998 > x.x.x.x.33995: UDP, length 30
>>> 14:00:08.078260 IP 94.202.49.109.61957 > x.x.x.x.26071: UDP, length 67
>>> 14:00:08.101495 IP 82.169.68.179.19605 > x.x.x.x.45682: UDP, length 30
>>> 14:00:08.113238 IP 86.99.42.7.15086 > x.x.x.x.11706: UDP, length 67
>>> 14:00:08.127979 IP 62.195.70.253.45266 > x.x.x.x.37050: UDP, length 30
>>> 14:00:08.163992 IP 2.82.207.195.38343 > x.x.x.x.26680: UDP, length 30
>>> 14:00:08.183453 IP 68.81.206.57.25923 > x.x.x.x.18378: UDP, length 30
>>> 14:00:08.237689 IP 108.120.241.254.47249 > x.x.x.x.39433: UDP, length 30
>>> 14:00:08.256906 IP 99.161.157.254.41719 > x.x.x.x.26680: UDP, length 30
>>> 14:00:08.291885 IP 121.136.175.247.12577 > x.x.x.x.16485: UDP, length 67
>>> 14:00:08.315427 IP 121.144.158.120.30845 > x.x.x.x.61415: UDP, length 30
>>> 14:00:08.317404 IP 115.117.219.18.25817 > x.x.x.x.59936: UDP, length 30
>>>
>>> Does anyone have any idea if the traffic is genuine or some kind of attack?
>>> x.x.x.x is my proxy server.
>>>
>>> --- Bal Krishna
>>>
>>
>> On 04/06/11 01:16, Chad Naugle wrote:
>> > Check the hostname of these IP addresses. They could be DNS replies,
>> > using random ports for source/destinations. Squid can generate tons of
>> > DNS traffic.
>>
>>
>> I don't think it's genuine Squid traffic. DNS, ICP and HTCP all use a
>> fixed well-known port at one end and a rarely changing port at the other.
>>
>> It could be anything else on the box though.
>>
>> There are a few CVE attacks this could be, two using DNS and one HTCP.
>> If you have a Squid 2.7.STABLE8+, 3.0.STABLE23+ or 3.1.1+ you are safe
>> from those. They are just annoying.
>>
>> If you have a Squid-3.1+ with an IPv6 address publicly advertised this
>> could be a sign of v6 connection attempts. Several IP tunnel protocols
>> involve UDP handshakes.
>>
>> Amos
>
> I'm currently using 2.7 STABLE9.
> And the connections seem to have increased compared to earlier.
> Can blocking UDP other than DNS and SNMP from outside solve the
> problem?

We can't answer that. It may not be a problem. You need to find out what it actually is.

Blocking it will stop it doing anything, but until you know what it is that may just be creating a different problem.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.8 and 3.1.12.2
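Amos's test above (DNS, ICP and HTCP keep a fixed well-known port at one end, so a flow with random ports at both ends is not Squid's own traffic) can be applied mechanically to a tcpdump summary. The script below is an added example, not code from anyone in this thread or from the Squid project: it parses tcpdump `UDP, length N` lines, aggregates source and destination ports and payload lengths, and reports whether either end is pinned to a well-known port. The `WELL_KNOWN_UDP` table is my own assumption (DNS 53, SNMP 161/162, and Squid's default ICP 3130 and HTCP 4827); the first sample is a subset of the lines posted above, the second is a constructed DNS-reply sample for contrast.

```python
import re
from collections import Counter

# Subset of the tcpdump excerpt posted in the thread (destination already masked there).
THREAD_SAMPLE = """\
14:00:07.506612 IP 41.209.69.146.10027 > x.x.x.x.65453: UDP, length 30
14:00:07.518118 IP 121.218.37.254.41597 > x.x.x.x.64338: UDP, length 30
14:00:07.572559 IP 85.224.143.193.29978 > x.x.x.x.62782: UDP, length 30
14:00:07.653055 IP 117.195.138.64.24314 > x.x.x.x.44985: UDP, length 33
14:00:07.783452 IP 86.83.107.196.41870 > x.x.x.x.62782: UDP, length 30
14:00:08.078260 IP 94.202.49.109.61957 > x.x.x.x.26071: UDP, length 67
14:00:07.841697 IP 89.136.112.99.42182 > x.x.x.x.52750: UDP, length 30
"""

# Constructed sample (documentation addresses) of what DNS replies to a resolver look like:
# the remote end is pinned to port 53, only the local ephemeral port varies.
DNS_SAMPLE = """\
14:01:00.000001 IP 192.0.2.53.53 > x.x.x.x.40123: UDP, length 80
14:01:00.000400 IP 192.0.2.53.53 > x.x.x.x.40124: UDP, length 91
14:01:00.000900 IP 198.51.100.7.53 > x.x.x.x.40125: UDP, length 75
"""

# Assumed table of UDP ports a Squid box is expected to talk on (ICP/HTCP are Squid defaults).
WELL_KNOWN_UDP = {53: "DNS", 161: "SNMP", 162: "SNMP-trap", 3130: "ICP", 4827: "HTCP"}

# tcpdump summary line; tolerant of a missing space before '>' as in the pasted excerpt.
LINE_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+)\s*>\s*(\S+)\.(\d+): UDP, length (\d+)$")


def parse(text):
    """Return one dict per parseable tcpdump UDP summary line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, length = m.groups()
        rows.append({"ts": ts, "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "len": int(length)})
    return rows


def summarize(rows):
    """Aggregate the evidence the fixed-port heuristic needs."""
    sports = {r["sport"] for r in rows}
    dports = {r["dport"] for r in rows}
    fixed = None
    if len(sports) == 1:
        fixed = ("src", next(iter(sports)))
    elif len(dports) == 1:
        fixed = ("dst", next(iter(dports)))
    return {
        "packets": len(rows),
        "unique_sources": len({r["src"] for r in rows}),
        "unique_sports": len(sports),
        "unique_dports": len(dports),
        "fixed_port": fixed,
        "lengths": Counter(r["len"] for r in rows),
    }


def classify(rows):
    """Apply the heuristic: a fixed well-known port at one end, or random ports at both."""
    s = summarize(rows)
    if s["packets"] == 0:
        return "no UDP summary lines parsed"
    if s["fixed_port"]:
        side, port = s["fixed_port"]
        name = WELL_KNOWN_UDP.get(port)
        if name:
            return f"fixed well-known port {port} ({name}) on the {side} side: consistent with {name} traffic"
        return f"fixed port {port} on the {side} side that is not a DNS/SNMP/ICP/HTCP port: identify the listener"
    return ("no fixed port at either end: does not match the DNS/ICP/HTCP pattern; "
            "capture payloads (tcpdump -X) and check local listeners (ss -lunp) before blocking")


if __name__ == "__main__":
    for label, sample in (("thread", THREAD_SAMPLE), ("dns", DNS_SAMPLE)):
        rows = parse(sample)
        print(label, summarize(rows))
        print(label, classify(rows))
```

Run against the lines from the thread it reports seven distinct sources, seven distinct source ports, six distinct destination ports and no pinned port, so the verdict is the same as Amos's: not Squid's own DNS/ICP/HTCP traffic, and the payload capture the reply above asks for is the next step. The constructed DNS sample, by contrast, is pinned to port 53 on the remote side.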